US sanctions Chinese cybersecurity company for firewall compromise, ransomware attacks

The Department of the Treasury is sanctioning Chinese cybersecurity company Sichuan Silence, and one of its employees, Guan Tianfeng, for their roles in the April 2020 compromise of tens of thousands of firewalls worldwide. Many of the victims were U.S. critical infrastructure companies.

The Department of Justice unsealed an indictment on Guan for the same activity. The U.S. Department of State also announced a Rewards for Justice reward offer of up to $10 million for information about Sichuan Silence or Guan.

“Throughout our five-year offensive operation against interlinked, Chinese nation-state adversaries — an operation we’ve named Pacific Rim — we successfully gathered critical intelligence about their activities. Notably, we could link much of the attackers’ exploit research and development to the Sichuan region of China, specifically, the Sichuan Silence Information Technology’s Double Helix Research Institute. In addition, after neutralizing a wave of attacks we named Asnarok, we uncovered links between the attacks and a person who went by the moniker GBigMao. Today, we are pleased that the Department of Justice has unsealed its indictment of Gbigmao, aka Guan Tianfeng, and the Treasury has sanctioned Sichuan Silence. This is a positive step towards disrupting these attackers’ operation,” Ross McKerchar, CISO at Sophos, told Help Net Security.

April 2020 firewall compromise

Guan Tianfeng discovered a zero-day exploit in Sophos Firewall. Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide.

The exploit aimed to use the compromised firewalls to steal data, including usernames and passwords. However, Guan also attempted to infect the victims’ systems with the Ragnarok ransomware variant.

More than 23,000 of the compromised firewalls were in the United States. Of these firewalls, 36 were protecting U.S. critical infrastructure companies’ systems. One victim was a U.S. energy company actively involved in drilling operations at the time of the compromise. If this compromise had not been detected, and the ransomware attack not been thwarted, it could have caused oil rigs to malfunction.

Guan Tianfeng and Sichuan Silence

Guan is a Chinese national and was a security researcher at Sichuan Silence at the time of the compromise. Guan competed on behalf of Sichuan Silence in cybersecurity tournaments and posted recently discovered zero-day exploits on vulnerability and exploit forums, including under his moniker GbigMao. Guan was responsible for the April 2020 firewall compromise.

Sichuan Silence is a Chengdu-based cybersecurity government contractor whose core clients are PRC intelligence services. Sichuan Silence provides these clients with computer network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression products and services. Additionally, Sichuan Silence provides these clients with equipment designed to probe and exploit target network routers. A pre-positioning device used by Guan in the April 2020 firewall compromise was in fact owned by his employer, Sichuan Silence.

OFAC is designating Sichuan Silence and Guan pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, for being responsible for or complicit in, or having engaged in, directly or indirectly cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector.